Fortigate vs pfSense

At our school district, we run a 2-node HA array of Fortinet FG-900Ds. These run great, but are starting to get old. This is the data sheet on the FG-900Ds: https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/FortiGate_900D.pdf

We use SSL packet inspection to aid in content filtering.

Is it too much of a stretch to expect the same or better performance if we replace these with NetGate appliances or enterprise grade servers running pfSense Plus?

If you are using SSL decrypt, I wouldn’t consider using pfSense, since the overhead to set up and maintain policies is a lot. Fortinet and Palo Alto are the ones I would consider.

FortiGates have so many CVEs they haven’t cleaned up, and they continue to ignore them over years. The company I work for replaced 15+ FortiGates with Netgate appliances (pfSense).

I’d also argue that SSL inspection should be done at the endpoint level and not at the firewall.

  1. If you have work from home users then they still get the benefit of SSL inspection locally on their machine.
  2. You save your firewall resources for better performance.
  3. Save yourself the headache of keeping up with certificates.

I think SSL inspection really should be done on both endpoints and the firewall if you are looking for the best protection, but if I had to choose one it would be the firewall. I say this because a compromised system can bypass the endpoint software, but not the firewall. As for the certs, most internally issued ones are usually good for a few years, so renewal isn't really that often. And for remote users, I would set up full tunnel connections.